Major PS5 Security Vulnerability Exposed in Alarming New Report

A serious PlayStation Network security vulnerability has been exposed – and it doesn’t require a single line of malicious code to pull off, as reported by Push Square. The exploit is a social engineering scam that weaponises just three pieces of information – a PSN username, an associated email address, and a transaction ID or purchase date – to convince Sony customer service representatives to hand over full account access. Sacred Symbols podcast host Colin Moriarty was targeted directly and brought the vulnerability to public attention, but he’s not alone: Trophy hunter Hakoom was hit by the same method and permanently lost access to his account. Every PS5 owner with a public profile is potentially at risk.

Here’s the context: This isn’t a PSN database breach or a phishing page designed to steal your login – it’s a process exploit, and that distinction matters. Attackers are abusing Sony’s own customer support workflows, which will accept minimal personal information to verify account ownership. The kicker is that the required data – purchase dates and game titles – can be inferred from publicly available Trophy metadata. As Moriarty noted on his podcast, if your Trophy timestamps show you started earning Trophies in Resident Evil Requiem on 27th February (launch day), it’s a safe bet you bought the game that same day. X user PorkPoncho confirmed the vulnerability is real by successfully accessing his sister’s account with her permission using only two game purchases and their dates. French journalist Nicolas Lellouche was caught in a similar incident last year, signalling this isn’t a one-off. It fits a broader pattern of PS5 platform concerns – including the activity tracking and data exposure issues we’ve covered before.

Here’s the real read: The truly alarming part isn’t the vulnerability itself – it’s what happens once attackers are inside. Per Push Square’s reporting, once a bad actor gets past customer support, they can change the account email address, disable two-factor authentication, and remove passkeys, all without any further security checks. That means you are locked out with no recourse, and potentially thousands of dollars of digital purchases are gone with you. Moriarty was able to recover his account quickly – but only because he had direct connections inside Sony. Most players don’t. The fact that this same attack vector has now claimed multiple high-profile victims, including Hakoom, who lost his account permanently, suggests Sony’s support verification process has been a weak link for some time. This isn’t a theoretical edge case – it’s a scalable attack. Anyone whose Trophy history is public is carrying a partially filled-out answer sheet for anyone who wants to try. And given Sony’s ongoing exposure to consumer trust issues – as the PSN digital games class action settlement demonstrated – the pressure to act fast here is real.

If you own a PS5, there are concrete steps to take right now. First, audit your social media history and delete any posts that include transaction IDs, purchase receipts, or order confirmations tied to PSN. Second, make your Trophy list private if your platform profile is currently public – this removes the most accessible data attackers use to infer purchase dates. Third, enable two-step verification on your PSN account if you haven’t already, and set up a passkey. While neither fully closes this particular vulnerability – attackers can still attempt to disable them via support – they do add friction. Sony has been informed of the issue by Moriarty and appears to be taking it seriously, but no patch or support policy change has been confirmed yet.

Watch for whether Sony quietly tightens its customer support identity verification requirements – specifically around email changes, 2SV removal, and passkey resets. If more high-profile cases surface in the coming weeks, expect public pressure to escalate quickly. Moriarty’s podcast episode is the clearest account of exactly how the scam operates, and it’s worth your time if you want the full picture.
